Author: nion Date: 2010-07-25 18:14:05 +0000 (Sun, 25 Jul 2010) New Revision: 15022 Modified: data/CVE/list Log: - CVE-2010-2490 fixed in mumble 1.2.2-4, bug has been assigned - bozohttpd bug filed - wget bug filed - CVE-2010-1622 fixed in libspring-2.5-java 2.5.6.SEC02-1 - CVE-2010-0825/emacs22 bug filed, emacs23 has been fixed in 23.2+1-1 - camserv removal requested Modified: data/CVE/list ==================================================================--- data/CVE/list 2010-07-24 20:42:21 UTC (rev 15021) +++ data/CVE/list 2010-07-25 18:14:05 UTC (rev 15022) @@ -815,9 +815,8 @@ TODO: check CVE-2010-2490 [murmur DoS via malformed client query] RESERVED - - mumble <unfixed> (low) + - mumble 1.2.2-4 (bug #587713) [lenny] - mumble <no-dsa> (Minor issue) - TODO: File bug - qt4-x11 <undetermined> (low; bug #587713) NOTE: unclear whether is qt''s or sqlite''s fault CVE-2010-2489 (Buffer overflow in Ruby 1.9.x before 1.9.1-p429 on Windows might allow ...) @@ -1197,9 +1196,8 @@ NOTE: of the weird CVE assignments on this one CVE-2010-2320 [information disclosure: existing vs non-existing users] RESERVED - - bozohttpd <unfixed> (low) + - bozohttpd <unfixed> (low; bug #590298) [lenny] - bozohttpd <no-dsa> (Minor information leak) - TODO: File bug CVE-2010-2319 (SQL injection vulnerability in index.php in IDevSpot TextAds 2.08 ...) NOT-FOR-US: IDevSpot TextAds CVE-2010-2318 (Cross-site scripting (XSS) vulnerability in cms_data.php in ...) @@ -1412,7 +1410,7 @@ - libwww-perl 5.835-1 (low) [lenny] - libwww-perl <no-dsa> (Minor issue) CVE-2010-2252 (GNU Wget 1.12 and earlier uses a server-provided filename instead of ...) - - wget <unfixed> + - wget <unfixed> (low; bug #590296) CVE-2010-2251 (The get1 command, as used by lftpget, in LFTP before 4.0.6 does not ...) - lftp 4.0.6-1 (low) [lenny] - lftp <no-dsa> (Minor issue) @@ -1550,9 +1548,8 @@ RESERVED CVE-2010-2195 [bozohttpd DoS through code miscompilation] RESERVED - - bozohttpd <unfixed> + - bozohttpd <unfixed> (low; bug #590298) [lenny] - bozohttpd <not-affected> (Only affects 20090522 to 20100512) - TODO: File bug CVE-2010-2194 RESERVED CVE-2010-2193 (Multiple unspecified vulnerabilities in the CA (1) PSFormX and (2) ...) @@ -3029,7 +3026,7 @@ CVE-2010-1623 RESERVED CVE-2010-1622 (SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before ...) - - libspring-2.5-java + - libspring-2.5-java 2.5.6.SEC02-1 (medium) CVE-2010-1621 (The mysql_uninstall_plugin function in sql/sql_plugin.cc in MySQL ...) - mysql-5.1 5.1.46-1 - mysql-dfsg-5.0 <not-affected> (Vulnerable code not present) @@ -5466,13 +5463,12 @@ - emacs21 <removed> (low) [lenny] - emacs21 <no-dsa> (Minor issue) NOTE: Only exploitable when configured as setgid mail, which isn''t set by default - - emacs22 <unfixed> (low) + - emacs22 <unfixed> (low; bug #590301) [lenny] - emacs22 <no-dsa> (Minor issue) - xemacs21 <unfixed> (low) [lenny] - xemacs21 <no-dsa> (Minor issue) [lenny] - xmacs21 <no-dsa> (Minor issue) - - emacs23 <unfixed> (low) - TODO: check and file bugs, can still be fixed through spus by the maintainers + - emacs23 23.2+1-1 (low) CVE-2009-4664 (Firewall Builder 3.0.4, 3.0.5, and 3.0.6, when running on Linux, ...) - fwbuilder 3.0.7-1 (bug #547390; medium) [lenny] - fwbuilder <not-affected> (only versions 3.0.4, 3.0.5 and 3.0.6 are affected) @@ -6810,10 +6806,6 @@ - postgresql-8.2 <removed> - postgresql-8.3 <removed> (low; bug #567058) - postgresql-8.4 8.4.3-1 -CVE-2010-XXXX [bozohttpd DoS on incomplete requests] - - bozohttpd 20090522-2 (low; bug #566325) - [lenny] - bozohttpd <no-dsa> (Minor issue) - [etch] - bozohttpd <no-dsa> (Minor issue) CVE-2010-2444 (parse/Csv2_parse.c in MaraDNS 1.3.03, and other versions before ...) - maradns 1.4.03-1 (low; bug #584587) [lenny] - maradns <no-dsa> (minor issue) @@ -10156,6 +10148,7 @@ - arts <not-affected> (Uses absolute path to the sound backend) - bochs <not-affected> (additional hardening in this package prevents this type of attack; bug #559799) - camserv <unfixed> (low; bug #559800) + NOTE: requested camserv removal [lenny] - camserv <no-dsa> (Minor issue) [etch] - camserv <no-dsa> (Minor issue) - collectd 4.8.2-1 (low; bug #559801)